The United Arab Emirates continues to wrestle with Research in Motion over government access to BlackBerry messages, threatening to ban the company’s services if it doesn’t severely weaken the anti-snooping protections on its smartphones. But years before the RIM battle boiled over, other Western companies handed the country a far greater power: the capability to infiltrate the secure system used by most banking, mail, and financing sites, making the most protected data on the Web available to the prying eyes of the emirates’ government-connected telecommunications giant.

To understand how this happened, you need to understand the way much of the Web’s private traffic stays private. Whenever you’re sending sensitive information online—say, your credit card number to Amazon or a message over Gmail—the content is encrypted before being sent and then decrypted by the Web site you sent it to. (Sites using this secure mode have URLs that start with “https,” and browsers add a padlock icon as well to demonstrate you’re communicating securely.) Every vendor has its own rules for how to scramble information so that only it, the intended recipient, can decode it. If anyone intercepts the message along the way, it will appear to be a meaningless digital jumble.

For the full article, see here.

Now you know a less-spoken reason why Google has gone to the mattresses over Chinese hacking. Always in the cards, since the birth of the Web, was the possibility that some great Internet business—a Yahoo or Google or Amazon or Facebook—would be destroyed overnight by a cataclysmic loss of trust in its protection of consumer data.

We haven’t seen this phenomenon yet, but it has seemed almost inevitable that sooner or later we will.

Google’s response to the discovery that Chinese hackers—likely government hackers—had tried to ransack its servers has been both energetic and obfuscating. “We love China and the Chinese people,” said CEO Eric Schmidt. “This is not about them. It’s about our unwillingness to participate in censorship.”

This was good PR—changing the subject from the very touchy one of data security. It may also have been good strategy, putting China on the defensive about blocking its own citizens’ access to information. Your move, Beijing.

It was also brave in a way other businesses in China haven’t been brave, and perhaps can’t afford to be. Hard to imagine, after all, is the cream of Chinese youth, the hope of its future, laying flowers of solidarity on the doorstep of, say, Northrop Grumman.

But one thing Google’s response wasn’t was entirely straightforward. The issue isn’t censorship but data security. Google may deserve every salaam for its willingness to go to war with China over its users’ data privacy, but it has been careful not to advertise that that’s what the showdown is really about. Ditto the Obama administration, which has taken up the censorship theme but has no answer for what really happened in the Google hack, which included breaking into individual email accounts.

You can understand their delicacy. Refusing to comply with China’s censorship directives, as Google is now doing, doesn’t actually make anyone’s data safer. Even pulling down its Chinese search engine altogether, as Google says it’s prepared to do, wouldn’t make Google’s servers in the U.S. or anywhere else more secure from determined hackers sponsored by the Chinese government.

Nobody wants to talk about this, because nobody has an answer for it. Even less given the stampede of businesses large and small to entrust their propriety data to “the cloud.” But let’s face it: If you are among the millions of users of Google’s many services, which include a lot more than typing your perhaps not always creditable whims into its search engine, by now on some gloomy afternoon you have already involuntarily paused and wondered what exactly Google makes of all your information.

It doesn’t take much to trip the anxiety switch even without worrying about data leakage to outsiders. In the near future, because you once typed in a search for hemorrhoid creams, will you see hemorrhoid ads flashing on electronic billboards as your car passes by? Will your Thanksgiving football fest with the in-laws be interrupted with TV commercials for hemorrhoid creams unless you take yourself out of the room? (Microsoft already is developing for its xBox game and video machine a capacity to watch who’s watching).

The Chinese government may not have anything to gain by embarrassing you in front of your children or employer, but state-sponsored hacking can potentially serve many purposes, from espionage and economic sabotage to blackmail and short-selling opportunities.

Even more likely, hacking could be Beijing’s way of extorting corporate compliance with its other goals. That’s why Google’s tactic of thumbing its nose at China’s censorship rules is at least inspired gamesmanship. Message to China: You have something to lose too.

It’s also why the response of other companies has been worrisome in its wussiness. Motorola is widely named in the press as having been hacked by Chinese operatives in the same incident as Google. Motorola’s response? “Motorola is committed to offering the most innovative mobile products and experiences in China.”

If China’s hacking is essentially a power play, silence is the wrong answer. In the early 1990s, the world studiously ignored evidence that China’s military was behind much of the piracy in the vital trade lanes of the South China Sea. The parallel is a close one, because China’s motive appeared to be an assertion of sovereignty as much as a grab for booty.

Hong Kong, still a British possession at the time, bravely collected the evidence, including serial numbers of Chinese patrol boats involved in the attacks. But it was allowed to present its findings only orally to the U.N. International Maritime Organization—because a written report would have required the agency to acknowledge the information and act on it.

Nobody wanted to know because nobody knew how to do deal with Chinese state-sponsored piracy, though it turned out the best way to deal with it was simply to advertise what was known about China’s participation in piracy.

Printed in The Wall Street Journal Asia, page 15

In order to comply with government search warrants on user data, Google created a backdoor access system into Gmail accounts. This feature is what the Chinese hackers exploited to gain access.

Google’s system isn’t unique. Democratic governments around the world — in Sweden, Canada and the UK, for example — are rushing to pass laws giving their police new powers of Internet surveillance, in many cases requiring communications system providers to redesign products and services they sell.

Many are also passing data retention laws, forcing companies to retain information on their customers. In the U.S., the 1994 Communications Assistance for Law Enforcement Act required phone companies to facilitate FBI eavesdropping, and since 2001, the National Security Agency has built substantial eavesdropping systems with the help of those phone companies.

Systems like these invite misuse: criminal appropriation, government abuse and stretching by everyone possible to apply to situations that are applicable only by the most tortuous logic. The FBI illegally wiretapped the phones of Americans, often falsely invoking terrorism emergencies, 3,500 times between 2002 and 2006 without a warrant. Internet surveillance and control will be no different.

Official misuses are bad enough, but it’s the unofficial uses that worry me more. Any surveillance and control system must itself be secured. An infrastructure conducive to surveillance and control invites surveillance and control, both by the people you expect and by the people you don’t.

China’s hackers subverted the access system Google put in place to comply with U.S. intercept orders. Why does anyone think criminals won’t be able to use the same system to steal bank account and credit card information, use it to launch other attacks or turn it into a massive spam-sending network? Why does anyone think that only authorized law enforcement can mine collected Internet data or eavesdrop on phone and IM conversations?

These risks are not merely theoretical. After September 11, the NSA built a surveillance infrastructure to eavesdrop on telephone calls and e-mails within the U.S. Although procedural rules stated that only non-Americans and international phone calls were to be listened to, actual practice didn’t match those rules. NSA analysts collected more data than they were authorized to and used the system to spy on wives, girlfriends and notables such as President Clinton.

But that’s not the most serious misuse of a telecommunications surveillance infrastructure. In Greece, between June 2004 and March 2005, someone wiretapped more than 100 cell phones belonging to members of the Greek government: the prime minister and the ministers of defense, foreign affairs and justice.

Ericsson built this wiretapping capability into Vodafone’s products and enabled it only for governments that requested it. Greece wasn’t one of those governments, but someone still unknown — A rival political party? Organized crime? Foreign intelligence? — figured out how to surreptitiously turn the feature on.

And surveillance infrastructure can be exported, which also aids totalitarianism around the world. Western companies like Siemens and Nokia built Iran’s surveillance. U.S. companies helped build China’s electronic police state. Just last year, Twitter’s anonymity saved the lives of Iranian dissidents, anonymity that many governments want to eliminate.

In the aftermath of Google’s announcement, some members of Congress are reviving a bill banning U.S. tech companies from working with governments that digitally spy on their citizens. Presumably, those legislators don’t understand that their own government is on the list.

This problem isn’t going away. Every year brings more Internet censorship and control, not just in countries like China and Iran but in the U.S., the U.K., Canada and other free countries, egged on by both law enforcement trying to catch terrorists, child pornographers and other criminals and by media companies trying to stop file sharers.

The problem is that such control makes us all less safe. Whether the eavesdroppers are the good guys or the bad guys, these systems put us all at greater risk. Communications systems that have no inherent eavesdropping capabilities are more secure than systems with those capabilities built in. And it’s bad civic hygiene to build technologies that could someday be used to facilitate a police state.

The opinions expressed in this commentary are solely those of Bruce Schneier.

Resolving questions about the command’s mission are central not only to the effort to defend military networks, which come under assault millions of times a day, but to establishing the Pentagon’s cyber strategy as the United States enters an era in which any major conflict will almost certainly involve an element of cyberwarfare.

“I don’t think there’s any dispute about the need for Cyber Command,” said Paul B. Kurtz, a cybersecurity expert who served in the George W. Bush and Clinton administrations. “We need to do better defending DOD networks and more clearly think through what we’re going to do offensively in cyberspace. But the question is how does that all mesh with existing organizations and authorities? The devil really is in the details.”

Officials said the initial operating plan for a cyber command is straightforward: to merge the Pentagon’s defensive unit, Joint Task Force-Global Network Operations, with its offensive outfit, the Joint Functional Command Component-Network Warfare, at Fort Meade, home to the NSA. The new command, which would include about 500 staffers, would leverage the NSA’s technical capabilities but fall under the Pentagon’s Strategic Command.

The plan also calls for beefing up “intelligence sensing,” or the blocking of malicious software and codes entering military networks, officials said.
What level of defense?

But the plan becomes more complicated as policymakers assess how aggressive to be in their defense of military networks.

Data move at the speed of light along channels owned by commercial carriers, entering government networks at “gateways,” or at the perimeter. Technology exists to detect malware at the gateways and in the commercial networks, but the ability to use that technology has given rise to policy questions.

One senior defense official said officials are trying to figure out, for instance, to what extent it is legal and desirable to remove malware outside the gateways as it heads to military networks.

“What can you do at the perimeter?” he said. “What can you do outside the perimeter? We haven’t had resolution on that.”

Privacy advocates are sensitive to government monitoring of communications networks at or just outside the gateways, particularly if the effort involves private Internet carriers, out of concern that purely private, non-government communications could be monitored. But defense officials said they are not contemplating the involvement of private firms.

The Pentagon is working with the Justice Department, the Department of Homeland Security, the White House and other agencies to ensure its efforts are legal and synchronized within a national cyber-policy framework, officials said. Congressional buy-in is important, they said. So far congressional staff have been briefed three times, and the Pentagon hopes to brief lawmakers this month.

Officials said members of the Senate Armed Services Committee will hold the confirmation hearing for a new director once staff are satisfied they understand the command’s purpose and operating plan.

“Our goal here is to better protect our forces,” said Deputy Assistant Secretary of Defense Robert J. Butler. “If someone can intrude inside the network, it could impair our ability to communicate and operate.”

President Obama has nominated the director of the NSA, Lt. Gen. Keith B. Alexander, to head the command. Alexander, who would become a four-star general, must be confirmed in that position before the command can launch at “initial operating capability.” It is scheduled to become fully operational by Oct. 1.

Sen. Bill Nelson (D-Fla.), chairman of the Armed Services emerging threats subcommittee, said that though there are “some policy questions” to be answered, he was confident Alexander would be confirmed.

Nonetheless, the NSA’s involvement, given the past controversy, has raised questions of oversight.

“How do we make sure that if the National Security Agency is involved, that we don’t have a problem with people seeing other people’s information?” the defense official said, describing one congressional concern. “We’ve made it very clear. No information will be shared other than to support what we need to defend the networks — the defense military information networks. The rest of that information, NSA is bound by legal rules” to protect Americans’ privacy.
Defining ‘defense’

NSA Deputy Director Chris Inglis said in a recent interview that “90 percent” of the command’s focus will be on defensive measures because “that’s where we are way behind.”

“If we led with attack, people would say, ‘That’s just nuts. That’s completely irrational,’ ” he said. “You’ve got to be about the defense.”

Other intelligence experts, however, said that the term “defense” is malleable. They argue that the government is spending a significant amount of money on classified cyber programs to develop offensive capabilities.

Beyond a cyber command, the Pentagon is grappling with a dizzying array of policy and doctrinal questions involving cyber warfare.

Who should authorize a cyber attack on an adversary that might be capable of undermining the United States’ financial system or energy infrastructure? What degree of certainty is needed about an alleged attacker before authorizing a response? When does an effort to defend a U.S. military network cross the line into an offensive action?

Many of these questions will be answered down the road, after the command is launched, and perhaps some won’t be answered for years, defense officials said.

Still, such issues are important ones, said one official familiar with the Pentagon’s plans, who was not authorized to speak for the record. “The rules can vary dramatically depending upon under what authority you’re doing something,” he said. “An offensive action is not a decision that can be taken very lightly. It is an extraordinary action because of the consequences that could result for either DOD or the intelligence community or critical U.S. industries.”